I need end-to-end encryption, so currently the setup is:

example.com -> Route53 -> LB (TCP :80/443) -> Nginx Ingress with SSL certs installed

Is it possible to do something like:

example.com -> Route53 -> CloudFront -> LB (TCP :80/443) -> Nginx Ingress with SSL certs installed

When I attach the same certificate to CloudFront, I get a 502 CloudFront error. I listed example.com in Alternate Domain Names and the LB DNS name mylb123.elb.us-east-2.amazonaws.com as Origin Domain Name. The documentation says that the Origin Domain Name should match one of the names in the SSL certificate assigned to the origin, but the SSL certificate was provisioned for real domains like example.com; it certainly does not include *.elb.us-east-2.amazonaws.com etc. This confuses me.

Can you please suggest how to set up SSL on the CloudFormation side, or pass it through and handle SSL on the Ingress side?

Update:

The SSL certificate is issued by DigiCert, it’s not self-signed.

2 Answers

  1. Chosen as BEST ANSWER

    I found the resolution in an unrelated question.

    To make SSL work without the 502 error "The request could not be satisfied", I had to specify my domain (e.g. example.com) as an Alternate Domain Name in the CloudFront distribution, attach the SSL certificate provisioned for example.com and, very importantly, whitelist the Host header in the cache behavior. This makes the SSL handshake work between CloudFront and Nginx.

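The accepted answer as a CloudFormation template, added here as an example and not part of the original answer. It assumes the domain, the load balancer DNS name and an ACM certificate ARN as placeholders; the certificate used by CloudFront for viewers must be in us-east-1, and the origin (the Nginx Ingress behind the LB) still needs its own publicly trusted certificate for example.com. Whitelisting Host in ForwardedValues is what makes CloudFront send Host: example.com to the origin instead of the LB hostname, so the hostname CloudFront validates the origin certificate against is one the certificate actually contains and Nginx serves the matching server block.

```yaml
# Example template (not from the original post). Assumed values:
# DomainName, OriginDomainName and ViewerCertificateArn are placeholders.
AWSTemplateFormatVersion: '2010-09-09'
Description: CloudFront in front of an LB + Nginx Ingress origin with end-to-end TLS

Parameters:
  DomainName:
    Type: String
    Default: example.com
  OriginDomainName:
    Type: String
    Default: mylb123.elb.us-east-2.amazonaws.com
  ViewerCertificateArn:
    Type: String
    Description: ACM certificate for example.com; must be issued in us-east-1 for CloudFront

Resources:
  Distribution:
    Type: AWS::CloudFront::Distribution
    Properties:
      DistributionConfig:
        Enabled: true
        # Alternate Domain Name: must match the viewer certificate below
        Aliases:
          - !Ref DomainName
        ViewerCertificate:
          AcmCertificateArn: !Ref ViewerCertificateArn
          SslSupportMethod: sni-only
          MinimumProtocolVersion: TLSv1.2_2021
        Origins:
          - Id: nginx-ingress
            DomainName: !Ref OriginDomainName
            CustomOriginConfig:
              # Always TLS to the origin; CloudFront verifies the origin certificate
              OriginProtocolPolicy: https-only
              OriginSSLProtocols:
                - TLSv1.2
        DefaultCacheBehavior:
          TargetOriginId: nginx-ingress
          ViewerProtocolPolicy: redirect-to-https
          AllowedMethods: [GET, HEAD, OPTIONS, PUT, PATCH, POST, DELETE]
          ForwardedValues:
            QueryString: true
            Cookies:
              Forward: all
            # Whitelist Host so the origin sees example.com, not the LB hostname.
            Headers:
              - Host

Outputs:
  DistributionDomainName:
    Description: Point the Route53 record for example.com at this name (alias)
    Value: !GetAtt Distribution.DomainName
```

Forwarding Host also makes it part of the cache key, which is harmless for a single-alias distribution but worth knowing if you later add more aliases or switch to cache policies. Keep the LB listeners on TCP passthrough as in the original setup so the TLS session terminates only at the Ingress.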

  2. For your origin, in your case an instance, you must have a valid public SSL certificate. It can't be self-signed. This means that you need to have a proper, public domain for which you register such a certificate.

    AWS ACM free SSL certs do not work with instances, unless in an enclave, so you have to use a third party to get such an SSL certificate. A popular choice is https://letsencrypt.org/. Alternatively, you can front your instance with an ALB and get a free SSL certificate from ACM.
